A new unpatched zero-day vulnerability in the Adobe Type Manager Library (ATMFD.dll), which ships with Windows, allows attackers to run arbitrary code remotely on victims' systems.

A zero-day exploit is an attack based on a flaw that is unknown to the software's creator (until the attack is carried out). The vulnerability is exploited while the software vendor is still working on a fix.

The company has noted that the zero-day attacks on the Adobe Type Manager Library are limited and targeted. Users who believe they may be targeted are advised to follow the steps in Microsoft's recent security advisory, ADV200006, to reduce the risk.

Affected systems include currently supported Windows versions such as Windows 10/7/8.1, Windows RT, and Windows Server 2008/2012/2016/2019. A detailed list is given in the advisory mentioned above.

According to Microsoft, the affected operating systems contain two remote code execution vulnerabilities caused by the way the Windows version of the ATM library handles the Adobe Type 1 PostScript format (a worldwide standard for digital type fonts).

An attacker can take advantage of this flaw in many ways, such as persuading a user to open a specially crafted file or view it in File Explorer's Preview Pane or Details Pane.

The advisory lists the following workarounds and their impacts:

  • Disabling the Preview and Details Panes of Windows Explorer (or File Explorer) – this prevents Explorer from automatically displaying OpenType font files or any other files maliciously crafted by the attacker. It does not, however, stop a user from unknowingly opening a malicious file.
  • Disabling the WebClient service on affected systems – if WebClient is disabled, remote web content authoring operations through WebDAV (an extension of HTTP) stop working and WebDAV requests are not processed. An attacker will still be able to carry out remote activity over the web, but the victim must confirm before any arbitrary program is launched from the internet.
  • Renaming the ATMFD.dll file – ATMFD.dll is a kernel module that provides support for applications that depend on embedded font technology. Applications that rely on OpenType fonts may stop working if the Adobe Type Manager Font Driver (ATMFD) is disabled. However, Windows 10 version 1709 and above does not contain ATMFD.dll.
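
To check which of these workarounds are in place on a host, the following read-only audit is an added example, not code from Microsoft's advisory or from this article. The function name `Get-AtmfdWorkaroundStatus` is hypothetical, and the script assumes the driver lives at `%windir%\System32\atmfd.dll`; the Preview/Details Pane setting is per-user and is not checked here.

```powershell
# Added example: read-only audit of two ADV200006 workarounds on the local host.
function Get-AtmfdWorkaroundStatus {
    [CmdletBinding()]
    param(
        # Assumption: default location of the font driver.
        [string]$DriverPath = (Join-Path $env:windir 'System32\atmfd.dll')
    )

    # The WebClient service may not be installed at all; treat that as its own state.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'" -ErrorAction SilentlyContinue

    # A renamed driver (the workaround) or a build that never shipped it both report $false.
    $driverPresent = Test-Path -LiteralPath $DriverPath -PathType Leaf

    $findings = @()
    if ($driverPresent) {
        $findings += 'ATMFD.dll is present under its original name (rename workaround not applied).'
    }
    if ($svc -and $svc.StartMode -ne 'Disabled') {
        $findings += "WebClient start mode is '$($svc.StartMode)' (disable workaround not applied)."
    }
    if ($svc -and $svc.State -eq 'Running') {
        $findings += 'WebClient is currently running.'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSVersion          = [Environment]::OSVersion.Version.ToString()
        AtmfdPresent       = $driverPresent
        WebClientStartMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        WebClientState     = if ($svc) { $svc.State } else { 'NotInstalled' }
        Findings           = $findings
    }
}

Get-AtmfdWorkaroundStatus | Format-List
```

An empty `Findings` list means neither condition was detected; it does not show that the host is patched.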

On Windows 10 systems, however, even if the attacker succeeds in exploitation, the code runs in an AppContainer sandbox context with limited privileges and capabilities, Microsoft noted.

The company is working on a fix for this bug. "Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month," reads the advisory.